Players and Friends,

Even when you are in the business of fun, not every week ends up being fun. This week, our security team found an unauthorized and illegal access into our internal network here at Blizzard. We quickly took steps to close off this access and began working with law enforcement and security experts to investigate what happened.

At this time, we’ve found no evidence that financial information such as credit cards, billing addresses, or real names were compromised. Our investigation is ongoing, but so far nothing suggests that these pieces of information have been accessed.

Some data was illegally accessed, including a list of email addresses for global Battle.net users, outside of China. For players on North American servers (which generally includes players from North America, Latin America, Australia, New Zealand, and Southeast Asia) the answer to the personal security question, and information relating to Mobile and Dial-In Authenticators were also accessed. Based on what we currently know, this information alone is NOT enough for anyone to gain access to Battle.net accounts.

We also know that cryptographically scrambled versions of Battle.net passwords (not actual passwords) for players on North American servers were taken. We use Secure Remote Password protocol (SRP) to protect these passwords, which is designed to make it extremely difficult to extract the actual password, and also means that each password would have to be deciphered individually. As a precaution, however, we recommend that players on North American servers change their password. Please click this link to change your password. Moreover, if you have used the same or similar passwords for other purposes, you may want to consider changing those passwords as well.

In the coming days, we'll be prompting players on North American servers to change their secret questions and answers through an automated process. Additionally, we'll prompt mobile authenticator users to update their authenticator software. As a reminder, phishing emails will ask you for password or login information. Blizzard Entertainment emails will never ask for your password. We deeply regret the inconvenience to all of you and understand you may have questions. Please find additional information here.

We take the security of your personal information very seriously, and we are truly sorry that this has happened.

Sincerely,
Mike Morhaime

change your passwords and security questions now, ill post the link of the security breach in blizz server once i bypass my office firewall to get the link

apparently your authenticator data is also compromised

or you could post your password here . we will assist you in the process.

will it affect our paypal accounts, info etc?

will it affect our paypal accounts, info etc?

how's paypal account is affected? i thought blizz server yang kena hack.

At this time, we’ve found no evidence that financial information such as credit cards, billing addresses, or real names were compromised. Our investigation is ongoing, but so far nothing suggests that these pieces of information have been accessed.

sia-sia je buat password panjang berjela, have to change to another one

just changed my password for paypal.

gonna change my d3 password next.

in that order of importance. hahahhha

exactly what im feeling now lol, lucky i manage to cook up a new one that i can remember

still dulan how this couldve happened

---

Added on August 10, 2012, 9:43 am
just dont recycle ur passwords bro, got any other accs using the same pass, tukar also

recycle? meaning using back the old password that i once used for the account? doesnt matter if i change the password for different accounts using the same password but just swap rght?
ie: password123 for paypal to passwordabc
 
passwordabc for diablo to password 123

swapping diablo and paypal passwords?!

Hi folks, in the Bnet account management, where to click and change the security question ?

Username : uguysstillplayingdiablo3
Password : ialreadyuninstallandvendorallmyequips

We've been taking the situation extremely seriously from the start, and have done everything possible to verify how and in what circumstances these compromises are occurring. Despite the claims and theories being made, we have yet to find any situations in which a person's account was not compromised through traditional means of someone else logging into their account through the use of their password. While the authenticator isn't a 100% guarantee of account security, we have yet to investigate a compromise report in which an authenticator was attached beforehand.

If your account has been hacked, please view the previous post for information on contacting our support department.

We'd like to take a moment to address the recent reports that suggested that Battle.net® and Diablo® III may have been compromised. Historically, the release of a new game -- such as a World of Warcraft® expansion -- will result in an increase in reports of individual account compromises, and that's exactly what we're seeing now with Diablo III. We know how frustrating it can be to become the victim of account theft, and as always, we're dedicated to doing everything we can to help our players keep their Battle.net accounts safe -- and we appreciate everyone who's doing their part to help protect their accounts as well. You can read about ways to help keep your account secure, along with some of the internal and external measures we have in place to help us achieve our security goals, at our account security website here: http://www.battle.net/security" class="bml-link-url2">www.battle.net/security</a>.

We also wanted to reassure you that the Battle.net Authenticator and Battle.net Mobile Authenticator (a free app for iPhone and Android devices) continue to be some of the most effective measures we offer to help players protect themselves against account compromises, and we encourage everyone to take advantage of them. In addition, we also recently introduced a new service called Battle.net SMS Protect, which allows you to use your text-enabled cell phone to unlock a locked Battle.net account, recover your account name, approve a password reset, or remove a lost Authenticator. Optionally, you can set up the Battle.net SMS Protect system to send you a text message whenever unusual activity is detected on your account, keeping you aware of important (and possibly unwanted) changes.

For more information on the Authenticator, visit http://us.battle.net/support/en/article/ba...thenticator-faq

For more on the Battle.net Mobile Authenticator, visit http://us.battle.net/support/en/article/ba...thenticator-faq

For more on Battle.net SMS Protect, visit http://us.battle.net/support/en/article/ba...net-sms-protect

We also have other measures built into Battle.net to help protect players. Occasionally, when Battle.net detects unusual login activity that differs from your normal behavior -- such as logging in from an unfamiliar location -- we may prompt you for additional information (such as the answer to one of your security questions) and/or require you to perform a password reset through the Battle.net website. World of Warcraft players might be familiar with this security method already, and Diablo III players may begin to encounter it as well.

As always, if you think you've been the victim of an account compromise, head to the "Help! I've Been Hacked!" tool at <a href="http://us.battle.net/en/security/help for assistance.

Just had a thought.

So I've had some time to sit down and think about this. This hacking is very bad. At this point, the attackers have got your

• email address
  
• secret question and answer
  
• salted passwords[
  

I would like to state that even though the passwords are salted, its still crackable. Any basic maths geek will be able to tell you that with a large enough database, the constants can be deduced easily. This leaves your real password.

I have read an article about this and I think the author is on the right track when he says SRP may not be strong enough. Link to article. Read if you are interested in the theory of it.

But note that the author is an interested party when bashing Blizz AND like he said, its impossible to avoid break-ins. Although as long as there was a battlenet server to store and maintain user's characters, this would have happened. It doesn't matter if there was an offline aspect to D3.

I got a korean email from blizzard telling me to change password ( Legit from blizzard ).
This is it, Diablo 3 is finally dead to me.

goodbye

http://us.battle.net/d3/en/forum/topic/6308360812?page=1

Har har harr in your face blizzard fan boys.
You flame those people who said they got hacked when the game released.
Now youre blaming "Ohh every system can be hack".

you might want to look up what is the definition of blame.

either way kulle story bro